1. External Penetration Testing
  1. Penetration Testing of Windows

  2. Self-testing Security

  3. Laptop Hacking

2. Enterprise Penetration Testing
  1. Penetration Testing of your VPN

  2. Domain Controller Penetration Testing

  3. Tools; Metasploit

  4. Choosing a penetration Testing Supplier

3. CISCO Penetration Testing
  1. Introduction to CISCO Penetration Testing

  2. Scan & Fingerprint

  3. Credentials Guessing

  4. Connect

  5. Vulnerability Assessment

  6. Further your attack

  7. CISCO Command Reference

CISCO Penetration Testing Methodology

  1. Introduction to CISCO penetration testing
  2. Scan & Fingerprint
  3. The purpose of 'Scan & Fingerprint' is to identify open ports on the target device and attempt to determine the exact IOS version. This then sets the plan for further attacks.

    It Telnet is active, then password guessing attacks should be performed.
    If SNMP is active, then community string guessing should be performed.

  4. Credentials Guessing
  5. If a network engineer/administrator has configured just one Cisco device with a poor password, then the whole network is open to attack. Attempting to connect with various usernames/passwords is a mandatory step to testing the level of security that the device offers.

    Attempt to guess Telnet, HTTP and SSH account credentials.
    Once you have non-privileged access, attempt to discover the 'enable' password.
    Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!

  6. Connect
  7. Once you have identified the access credentials, whether that be HTTP, Telnet or SSH, then connect to the target device to identify further information.

    If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

  8. Vulnerability Assessment
  9. To check for known bugs, vulnerabilities or security flaws with the device, a good security scanner can be used.

    Nessus3 is pretty good for this although there are many other alternatives such as:
    GFI LanGuard
    Core Impact

    There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug:

  10. Further your attack
  11. To further the attack into the target network, some changes need to be made to the running-config file of the target device.

    There are two main categories for configuration files with Cisco routers - running-config and startup-confg.

    running-config is the currently running configuration settings. This gets loaded from the startup-config on boot. This configuration file is editable and the changes are immediate. Any changes will be lost once the router is rebooted. It is this file that requires altering to maintain a non-permenant connection through to the internal network.

    startup-config is the boot up configuration file. It is this file that needs altering to maintain a permenant connection through to the internal network.

    Once you have access to the config files, you will need enable (privileged mode) access for this, you can add an access list rule to allow your IP address into the internal network.

    The following ACL will allow the defined <IP> access to any internal IP address.
    #> access-list 100 permit ip <IP> any

    So if the router is protecting a web server and an email server, this ACL will allow you to pass packets to those IP addresses on any port. Therefore you should be able to port scan them efficiently.

  12. CISCO Command Reference

To receive your CISCO Vulnerability Assessment , please submit your payment of $1999.00 If more than 100 miles of travel will be required, the additional cost will be billed separatelly.

Business Name:
Contact Information:
Email Address:
URL or IP address:

Other members of our business group:

COPYRIGHT (C) 2000 - 2011 InfoSecPro.com ALL RIGHTS RESERVED